CVE-2025-41760
Bypass of Traffic Filtering in UBR Due to Empty Pass Filter
Publication date: 2026-03-09
Last updated on: 2026-03-11
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mbs-solutions | universal_bacnet_router_firmware | to 6.0.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when an administrator tries to block all network traffic by configuring a pass filter with an empty table. In the UBR system, an empty list does not actually block any traffic but instead allows all network traffic to pass through without any filtering.
How can this vulnerability impact me? :
Because an empty pass filter does not restrict any traffic, it can lead to unintended exposure of the network by allowing all traffic to pass unfiltered. This could result in sensitive or harmful traffic reaching protected systems, potentially compromising confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know